If you can remember your password, it's not secure enough - interview
The widespread belief that changing a single digit between passwords is enough to stay secure online could cost you access to all of your existing accounts.
Passwords are a tricky matter. On one hand, you want them to be as diverse and complex as possible. On the other, a person can only remember so much, and a separate password for every online account is never going to rank high on memory's priority list.
Thankfully, technological advances have led to the creation of password managers, which not only store passwords but also generate, manage, and secure them. They are an elegant and effective way to ensure maximum security for your accounts, and different companies offer additional features on top of that.
NordPass has been a respected password manager since its launch in 2019. It was developed by Nord Security, which created projects like NordVPN and NordLayer. NordPass allows you to securely store passwords in a single place without having to remember them.
Mantas Sasnauskas, the Senior Security Researcher at CyberNews, talked to Gediminas Brencius, Head of Product for NordPass, to find out what makes NordPass stand out from other password managers, and how to ensure your personal data remains safe.
Recently, you did quite a comprehensive password research, looking at password usage by gender and location. Could you comment on the major commonalities of weak passwords: maybe there are some running trends?
When you see people from all around the world using the same passwords, you can just dig in and understand the concept of being lazy and acting risky online. We see passwords like 12345 and 123456 repeating themselves every single year. People tend to add an additional digit to their passwords. That doesn't make them any more secure, but people just imagine this helps.
There are passwords like football team names and things that are really common. They never change, as it's difficult to impact human behavior. So by publishing those reports, we're trying to ensure that people understand that nothing they do with their passwords is unique. They can be breached at any point.
What kind of technology do you use to encrypt people's passwords?
At the moment, we're using the encryption algorithm called XChaCha20, which is said to be the most advanced encryption algorithm. And yes, we can't see anything. Therefore, even in case of a breach, nobody else can actually access whatever they found in those servers. But I'm sure that that's not going to happen anyway.
Could you explain a little more how this enhances the average person’s privacy?
Well, if we don't know anything about our users, nobody else can know it apart from the users themselves. In general, password managers should be implemented by everybody because one of the key problems is that if you can remember your password, it's not secure enough. And if you remember more than one password, it's even less secure. So you have to have the ability to use completely random passwords. Use any sort of technology that helps you do that. Coming from NordPass, we are giving users the opportunity to hold all of their passwords, all of their unique and completely secure passwords, in one single place, and then auto-fill them, so that we remove the need for our users to remember, to write down, or to do anything with their passwords apart from just using them whenever they need.
I want to ask you about the login process with NordPass in particular. You made changes last year, making your apps use Nord Account, which signs you in initially through the browser. This is pretty unique, and I haven't really come across something similar with other password managers. Could you tell me a bit more about why you're doing this and what the security benefits of this approach are?
The main reason is that many desktop apps like Slack, for example, are moving away from having login methods within their apps to browser authentication. This is because there's the OpenID protocol, which is used by the majority of these apps. And that's why we've decided that this is the next step for app authorization and logins.
At the same time, we have expanded our portfolio from just being NordVPN to being NordLocker and NordPass, as well. So we needed to find a way to ensure that users only have to authenticate once and can use all three tools simultaneously. This helped us work out a product like Nord Account which works in a similar way to Facebook login. You go through the authentication process with a Nord Account, and then you can jump in and use whatever app you need, providing it comes from Nord Security.
For you, what’s it like - working for such a well-established company?
It's interesting, challenging, and very rewarding at the same time. We're building a tool that's used by many, many people. It's inevitable for us to jump in and see all of the different things that people need to do to ensure that their password security is up to par. So the team that we have here at NordPass is incredible. I'm really grateful for the opportunity to be working on a product such as NordPass.
What is the most beneficial offering NordPass has in terms of security?
By providing tools like Data Breach Scanner, Password Health, and password generators, we're building this security ecosystem that helps our users have a full-on security bubble around them.
Where do you think password security will be in the upcoming years? And how will NordPass evolve?
Password management and internet security are moving in the direction of biometrics. The passwordless future is an incredible buzzword that's getting louder every day. So we're trying to stay ahead of this and other cybersecurity trends.
We've got loads of exciting things planned for NordPass. We're moving in the direction of digital identities and just many more things that are still under the radar. I imagine that password management is not going to be the same as it is now, and it's going to evolve into something very special very soon.
Do you envision a passwordless future for us?
Of course, big players like Microsoft are moving in that direction. They're just starting the revolution, I think. And for us, and for other password managements and managers online, it's necessary to react to this. The passwords are the weak point most of the time. So by removing this weak point, we can ensure that password and account security are going to be brought to the next level very soon.
What is the most important advice you can give about password security?
Use unique generated passwords that you cannot pronounce yourself. Another crucial thing is to use multifactor authentication whenever possible. So even if your accounts get breached, you will still have this additional layer of security.
Another interesting concept that I think is very beneficial for information security is using compartments for your information. For example, if you have many different social accounts, you should use a specific email address for those, so that if one of your shopping services gets breached, you only get hit in that very small area of your digital life. That really helps to ensure that you can understand where the problems and bad actors are.
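Two points from the interview can be put in numbers: appending a digit to a common password (as described in the answer on weak-password trends) barely grows the space an attacker has to search, while a randomly generated password of the kind recommended in the final answer does. The example below is added here and is not NordPass code; the short common-password list is a constructed stand-in for a real breach-derived list.

```python
import math
import secrets
import string

# Constructed stand-in for a real list of the most common leaked passwords.
COMMON_PASSWORDS = ["123456", "12345", "password", "qwerty", "liverpool", "arsenal"]

# 26 + 26 + 10 + 32 = 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(keyspace_size: int) -> float:
    """Bits of entropy for a password chosen uniformly from keyspace_size candidates."""
    return math.log2(keyspace_size)


def digit_suffix_keyspace(common_list: list[str], extra_digits: int) -> int:
    """Candidates an attacker must try when users take a common password and append
    extra_digits decimal digits: the list size times 10 per appended digit."""
    return len(common_list) * 10 ** extra_digits


def generated_keyspace(length: int, alphabet: str = ALPHABET) -> int:
    """Candidates for a password of `length` independent uniform picks from `alphabet`."""
    return len(alphabet) ** length


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via `secrets`, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_common_variant(candidate: str, common_list: list[str]) -> bool:
    """Password-health style check: a common password, or one with digits appended."""
    for common in common_list:
        if candidate == common:
            return True
        if candidate.startswith(common) and candidate[len(common):].isdigit():
            return True
    return False


if __name__ == "__main__":
    base = entropy_bits(digit_suffix_keyspace(COMMON_PASSWORDS, 0))
    plus_one = entropy_bits(digit_suffix_keyspace(COMMON_PASSWORDS, 1))
    print(f"common list: {base:.1f} bits; with one extra digit: {plus_one:.1f} bits")
    print(f"20-char generated password: {entropy_bits(generated_keyspace(20)):.1f} bits")
    print("example generated password:", generate_password())
```

Each appended digit adds only log2(10), about 3.3 bits, whereas every character of a 94-symbol generated password adds about 6.6 bits, so the 20-character output is well beyond 128 bits.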